In the United States, there is currently, as of July 2021, no overarching national privacy regulation in place. Instead, a number of individual states have passed their own state privacy laws, with the California Consumer Privacy Act, or CCPA, being the strictest so far. A number of states have followed California's lead and implemented portions of the CCPA within their own state laws. So as a company doing business in the United States, it's highly likely that you'll serve customers within California or one of the other states that have state privacy laws. Therefore, it's advisable to ensure that your company's operations follow California's CCPA, currently the strictest on record.

There are also federal regulations governing the collection and use of specific types of data within certain industries: for example, medical data collected and used in the healthcare industry, educational data, and financial data.

The concept of data privacy for patients in the medical field is as old as the field itself. It is encoded in the modern Hippocratic Oath, which states: "I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know." In US law, privacy of medical data was encoded in the Health Insurance Portability and Accountability Act, or HIPAA, passed in 1996. HIPAA governs the collection and use of what's called protected health information, or PHI, by organizations called covered entities and their business associates.

So what is protected health information? It's information that relates to one of three categories: the physical or mental condition of a patient, whether that condition occurred in the past, is present now, or is predicted to occur in the future; the provision of health care services to a patient; or the payment by that patient for health care services.
PHI must identify the individual to which it relates, and it has to be created, held or received by a covered entity or by an employer. HIPAA generally applies to organizations called covered entities and their business associates. A covered entity is an organization in one of three categories: a health care provider itself, such as a hospital or a doctor's clinic; a health insurance provider; or a clearinghouse of healthcare data. Business associates of covered entities are likewise covered under HIPAA. Business associates are vendors or contractors that provide certain services for a covered entity that involve processing protected health information.

HIPAA requires covered entities to provide detailed privacy notices to their users, clearly stating what information is collected and how it's going to be used. It authorizes covered entities to use PHI for the provision of medical treatment, to process payment, and to conduct their operations. Any other use of PHI requires opt-in authorization from users. HIPAA requires organizations to give users access to their own PHI for review and correction. It also requires covered entities to implement certain safeguards to protect PHI. For example, covered entities have to designate a privacy official, and they must ensure that they have ongoing monitoring of compliance with HIPAA.

In the education sector, the primary data privacy law is the Family Educational Rights and Privacy Act, or FERPA, which was passed in 1974 to provide students with control over the disclosure of their educational data. FERPA applies to all educational institutions that receive federal funding, which in general is almost all public or private schools in the United States. FERPA covers records related to a student that are maintained either by the school itself or by a vendor on behalf of the school.
Records covered under FERPA include grades, financial information, and things like disciplinary records. FERPA does not, however, cover directory information, such as a person's major or the year they graduated. Schools are able to publish such directory information, although they are required to provide opt-out policies so that students can opt out of having their information shared in such directories.

FERPA allows schools to disclose protected information only under certain conditions. The first is that the disclosure is made to the student himself or herself, or to the student's parent if the student is under 18. The second condition is that the student provides consent to disclose their own information, or, if the student is under 18, the parent provides consent on behalf of the student. The third condition is that the information is in no way personally identifiable, in which case it may be disclosed and shared. FERPA also requires institutions to provide students with the right to access their own information and to review it for accuracy.

In the financial sector, there are a number of laws which govern different aspects of data privacy for financial data. A couple of the key laws here are the Fair Credit Reporting Act, or FCRA, of 1970, the Fair and Accurate Credit Transactions Act of 2003, and the Gramm-Leach-Bliley Act of 1999. Notably, the financial industry is also subject to a number of rules which require disclosure of financial data in certain cases, for example, to prevent money laundering. Let's take a look at a couple of the key laws in the financial sector which govern privacy of financial data. The Fair Credit Reporting Act of 1970 regulates the consumer credit reporting industry. FCRA applies when consumer credit reporting data is used for things such as offering credit, insurance and background checks.
FCRA requires organizations which collect data for the purpose of consumer reporting, or which use such data, to limit the use of consumer reporting data to certain permissible purposes. They are also required to provide consumers with the ability to access the data collected in their credit report and to correct it if they find inaccuracies. Finally, FCRA requires companies that use credit reporting data to make decisions about users to notify those users when their data has been used to make an adverse decision. So, for example, a mortgage company that uses a consumer credit report to determine whether somebody should be approved for a mortgage has to notify applicants who were rejected because of information contained in their credit report that this is the reason for the rejection.

The second important source of financial data privacy is the Gramm-Leach-Bliley Act of 1999. GLBA's passage in 1999 led to a major restructuring of the financial services industry. As part of that restructuring, it put two primary rules in place to govern the privacy of financial data: the privacy rule and the safeguards rule. The privacy rule implemented a standard for privacy notices that financial organizations must share with their users, describing how their data is collected and used. It also required that organizations provide an opt-out to their customers so that their data would not be shared outside the financial organization that collected it. The safeguards rule required financial institutions to implement a comprehensive information security program, and to put in place administrative, technical and physical safeguards to ensure the confidentiality of the data they've collected from their customers.